package com.wso2.openbanking.accelerator.identity.token;

import com.nimbusds.jwt.SignedJWT;
import com.wso2.openbanking.accelerator.common.exception.OpenBankingException;
import com.wso2.openbanking.accelerator.common.util.CertificateUtils;
import com.wso2.openbanking.accelerator.common.util.Generated;
import com.wso2.openbanking.accelerator.identity.authenticator.constants.IdentifierHandlerConstants;
import com.wso2.openbanking.accelerator.identity.internal.IdentityExtensionsDataHolder;
import com.wso2.openbanking.accelerator.identity.token.util.TokenFilterException;
import com.wso2.openbanking.accelerator.identity.token.validators.OBIdentityFilterValidator;
import com.wso2.openbanking.accelerator.identity.token.wrapper.RequestWrapper;
import com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants;
import com.wso2.openbanking.accelerator.identity.util.IdentityCommonHelper;
import com.wso2.openbanking.accelerator.identity.util.IdentityCommonUtil;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:com/wso2/openbanking/accelerator/identity/token/TokenFilter.class */
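public class TokenFilter implements Filter {

    private static final String BASIC_AUTH_ERROR_MSG =
            "Unable to find client id in the request. Invalid Authorization header found.";
    private static final String CLIENT_ID_NOT_FOUND_MSG = "Unable to find client id in the request";
    private static final String NOT_HTTP_REQUEST_MSG =
            "Error occurred when handling the request, passed request is not a HttpServletRequest";
    // Substring of an OpenBankingException message that is reported as a server error rather than a client error.
    private static final String APP_DATA_RETRIEVAL_ERROR = "Error occurred while retrieving OAuth2 application data";
    private static final Log log = LogFactory.getLog(TokenFilter.class);

    // Both statics are installed once by the activating component (see the static setters) and are only read
    // afterwards; they are intentionally not per-request state. NOTE(review): they are not volatile, so the
    // setters are assumed to run before the first request is served - confirm with the component lifecycle.
    private static DefaultTokenFilter defaultTokenFilter;
    private static List<OBIdentityFilterValidator> validators = new ArrayList<>();

    // Deliberately no clientId field: a servlet Filter instance is shared by concurrent requests, so the
    // client id is kept as a local of doFilter and passed to the helpers that need it.

    @Generated(message = "Ignoring because it's a the init method")
    public void init(FilterConfig filterConfig) {
        filterConfig.getServletContext().log("TokenFilter initialized");
    }

    /**
     * Applies the Open Banking token-endpoint checks to the incoming request.
     * <p>
     * The client id is resolved from the request (JWT client assertion, {@code client_id} parameter, or Basic
     * Authorization header); the transport certificate is normalised into the MTLS header; and, only when the
     * application is flagged as regulatory in its SP metadata, the configured {@link DefaultTokenFilter} hooks
     * and every registered {@link OBIdentityFilterValidator} are run before the chain continues.
     * <p>
     * Any {@link TokenFilterException} or {@link OpenBankingException} raised on the way is turned into an error
     * response through {@code handleValidationFailure} and the chain is <em>not</em> invoked; this differs from
     * the earlier behaviour where a missing transport certificate wrote an error response and then still
     * continued down the chain.
     *
     * @param servletRequest  the incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse the response; cast to {@link HttpServletResponse} when an error has to be written
     * @param filterChain     the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException if the request is not an HTTP request or a certificate cannot be encoded
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        try {
            String clientId = extractClientId(servletRequest);
            ServletRequest request = cleanClientCertificateAndAppendTransportHeader(servletRequest);
            ServletResponse response = servletResponse;
            if (IdentityCommonUtil.getRegulatoryFromSPMetaData(clientId)) {
                request = getDefaultTokenFilter().handleFilterRequest(appendTransportHeader(request));
                for (OBIdentityFilterValidator validator : getValidators()) {
                    validator.validate(request, clientId);
                }
                response = getDefaultTokenFilter().handleFilterResponse(response);
            }
            filterChain.doFilter(request, response);
        } catch (TokenFilterException e) {
            fail(servletResponse, e.getErrorCode(), e.getMessage(), e.getErrorDescription());
        } catch (OpenBankingException e) {
            // StringUtils.contains is null-safe; e.getMessage() may be null.
            if (StringUtils.contains(e.getMessage(), APP_DATA_RETRIEVAL_ERROR)) {
                fail(servletResponse, 500, "server_error",
                        "OAuth2 application data retrieval failed." + e.getMessage());
            } else {
                fail(servletResponse, 400, "invalid_request",
                        "Service provider metadata retrieval failed. " + e.getMessage());
            }
        } catch (CertificateEncodingException e) {
            throw new ServletException("Certificate not valid", e);
        }
    }

    /**
     * Writes an OAuth2-style error response through the configured {@link DefaultTokenFilter}.
     *
     * @param servletResponse response to write to; cast to {@link HttpServletResponse} here
     * @param errorCode       HTTP status code
     * @param error           OAuth2 {@code error} value
     * @param description     OAuth2 {@code error_description} value
     */
    private void fail(ServletResponse servletResponse, int errorCode, String error, String description) {
        getDefaultTokenFilter().handleValidationFailure((HttpServletResponse) servletResponse, errorCode, error,
                description);
    }

    /**
     * Narrows the request to {@link HttpServletRequest}, failing consistently when it is something else.
     *
     * @throws ServletException if the request is not an HTTP request
     */
    private static HttpServletRequest asHttpRequest(ServletRequest servletRequest) throws ServletException {
        if (servletRequest instanceof HttpServletRequest) {
            return (HttpServletRequest) servletRequest;
        }
        throw new ServletException(NOT_HTTP_REQUEST_MSG);
    }

    /**
     * Ensures the MTLS header carries the client transport certificate for regulatory applications.
     * <p>
     * When certificate-as-header mode is enabled and the header is already present, the request is returned
     * unchanged. Otherwise the certificate is taken from the servlet request attribute and written into the
     * MTLS header of a {@link RequestWrapper}. A request with neither source fails with a 400
     * {@code invalid_request} via {@link TokenFilterException}, which {@link #doFilter} turns into the error
     * response; the chain is not continued in that case.
     *
     * @param servletRequest the request, possibly already wrapped
     * @return the request to hand down the chain
     * @throws ServletException             if the request is not an HTTP request
     * @throws IOException                  propagated from the helpers
     * @throws CertificateEncodingException if the certificate cannot be encoded into the header
     * @throws TokenFilterException         if no transport certificate can be found
     */
    private ServletRequest appendTransportHeader(ServletRequest servletRequest)
            throws ServletException, IOException, CertificateEncodingException, TokenFilterException {
        HttpServletRequest httpRequest = asHttpRequest(servletRequest);
        String mtlsHeaderName = IdentityCommonUtil.getMTLSAuthHeader();
        if (new IdentityCommonHelper().isTransportCertAsHeaderEnabled() && httpRequest.getHeader(mtlsHeaderName) != null) {
            return servletRequest;
        }
        Object certificateAttribute =
                servletRequest.getAttribute(IdentityCommonConstants.JAVAX_SERVLET_REQUEST_CERTIFICATE);
        if (certificateAttribute == null) {
            throw new TokenFilterException(400, "invalid_request", "Transport certificate not found in the request");
        }
        RequestWrapper wrapped = new RequestWrapper(httpRequest);
        wrapped.setHeader(mtlsHeaderName, new IdentityCommonHelper()
                .encodeCertificateContent(IdentityCommonUtil.getCertificateFromAttribute(certificateAttribute)));
        return wrapped;
    }

    @Generated(message = "Ignoring because it's a clean up code")
    public void destroy() {
    }

    /**
     * @return the {@link DefaultTokenFilter} installed through {@link #setDefaultTokenFilter}
     */
    @Generated(message = "Ignoring because the method is reading the configuration")
    public DefaultTokenFilter getDefaultTokenFilter() {
        return defaultTokenFilter;
    }

    /**
     * Resolves the client id from the request, in this order: the {@code iss} claim of the JWT client
     * assertion, the {@code client_id} parameter, then the user part of a Basic Authorization header.
     * <p>
     * The assertion is only parsed here, not signature-verified; the issuer is used to look up application
     * metadata. NOTE(review): signature verification is assumed to happen in the downstream authenticator -
     * confirm.
     *
     * @param servletRequest the incoming HTTP request
     * @return the resolved client id, never blank
     * @throws TokenFilterException 401 if the assertion cannot be parsed; 400 if no usable client id is present
     */
    private String extractClientId(ServletRequest servletRequest) throws TokenFilterException {
        String assertion = servletRequest.getParameter(IdentityCommonConstants.OAUTH_JWT_ASSERTION);
        String clientIdParam = servletRequest.getParameter("client_id");
        if (assertion != null) {
            String issuer;
            try {
                issuer = SignedJWT.parse(assertion).getJWTClaimsSet().getIssuer();
            } catch (ParseException e) {
                throw new TokenFilterException(401, "invalid_request",
                        "Error occurred while parsing the signed assertion", e);
            }
            // A missing iss claim previously produced a null client id that surfaced later as a metadata error.
            if (StringUtils.isBlank(issuer)) {
                throw new TokenFilterException(400, "invalid_request", CLIENT_ID_NOT_FOUND_MSG);
            }
            return issuer;
        }
        if (clientIdParam != null) {
            return clientIdParam;
        }
        String authHeader = ((HttpServletRequest) servletRequest).getHeader(IdentifierHandlerConstants.AUTH_HEADER);
        if (authHeader == null) {
            throw new TokenFilterException(400, "invalid_request", CLIENT_ID_NOT_FOUND_MSG);
        }
        return clientIdFromBasicAuth(authHeader);
    }

    /**
     * Extracts the user part (client id) of a Basic Authorization header value.
     * <p>
     * The credential is split at the first colon so that a client secret containing colons is accepted
     * (RFC 7617 allows them in the password). Decoding failures are reported as 400 instead of escaping as an
     * uncaught {@link IllegalArgumentException}. The header value is never logged: it carries the secret.
     * NOTE(review): decoding uses the URL-safe Base64 alphabet as before; standard Basic credentials use the
     * standard alphabet, so a valid header containing '+' or '/' is rejected here - confirm what clients send.
     *
     * @param authHeader the raw Authorization header value
     * @return the client id before the first colon
     * @throws TokenFilterException 400 if the header is not two space-separated tokens, does not decode, or
     *                              holds no non-empty client id
     */
    private static String clientIdFromBasicAuth(String authHeader) throws TokenFilterException {
        String[] parts = authHeader.split(IdentityCommonConstants.SPACE_SEPARATOR);
        if (parts.length != 2) {
            log.error(BASIC_AUTH_ERROR_MSG);
            throw new TokenFilterException(400, "Could not retrieve Client ID", BASIC_AUTH_ERROR_MSG);
        }
        String credentials;
        try {
            credentials = new String(Base64.getUrlDecoder().decode(parts[1].getBytes(StandardCharsets.UTF_8)),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            log.error(BASIC_AUTH_ERROR_MSG);
            throw new TokenFilterException(400, "Could not retrieve Client ID", BASIC_AUTH_ERROR_MSG, e);
        }
        int separator = credentials.indexOf(':');
        if (separator <= 0) {
            log.error(BASIC_AUTH_ERROR_MSG);
            throw new TokenFilterException(400, "Could not retrieve Client ID", BASIC_AUTH_ERROR_MSG);
        }
        return credentials.substring(0, separator);
    }

    /**
     * Installs the {@link DefaultTokenFilter} used by every instance of this filter.
     *
     * @param defaultTokenFilter2 the filter implementation to use
     */
    public static void setDefaultTokenFilter(DefaultTokenFilter defaultTokenFilter2) {
        defaultTokenFilter = defaultTokenFilter2;
    }

    /**
     * Installs the validators run for regulatory applications. The list is stored by reference, not copied,
     * so later changes by the caller are visible to the filter.
     *
     * @param list validators to run, in order
     */
    public static void setValidators(List<OBIdentityFilterValidator> list) {
        validators = list;
    }

    /**
     * @return the validators installed through {@link #setValidators} (the live list, not a copy)
     */
    public List<OBIdentityFilterValidator> getValidators() {
        return validators;
    }

    /**
     * In certificate-as-header mode, re-encodes the client transport certificate presented in the MTLS header
     * into the canonical form expected downstream.
     * <p>
     * The header value is optionally URL-decoded (when {@link #isClientCertificateEncoded()} is true), parsed
     * as an X.509 certificate and, if parsing succeeds, written back through a {@link RequestWrapper}. A header
     * that does not parse is logged and the request is passed on unchanged; a missing certificate is then
     * reported by the regulatory checks in {@link #appendTransportHeader}.
     * NOTE(review): the certificate is read from a client-supplied header here; this relies on the upstream
     * gateway being the only party able to set that header - confirm the deployment strips it from clients.
     *
     * @param servletRequest the incoming request
     * @return the request, wrapped with the normalised header when a certificate was parsed
     * @throws ServletException     if the request is not an HTTP request or the certificate cannot be encoded
     * @throws OpenBankingException if the header cannot be URL-decoded
     */
    private ServletRequest cleanClientCertificateAndAppendTransportHeader(ServletRequest servletRequest)
            throws ServletException, OpenBankingException {
        HttpServletRequest httpRequest = asHttpRequest(servletRequest);
        if (!new IdentityCommonHelper().isTransportCertAsHeaderEnabled()) {
            return servletRequest;
        }
        log.debug("Retrieving client transport certificate from header.");
        String mtlsHeaderName = IdentityCommonUtil.getMTLSAuthHeader();
        String certificateHeader = httpRequest.getHeader(mtlsHeaderName);
        if (StringUtils.isNotEmpty(certificateHeader) && isClientCertificateEncoded()) {
            try {
                log.debug("Received encoded client certificate. URLDecoding cert.");
                certificateHeader = URLDecoder.decode(certificateHeader, IdentifierHandlerConstants.UTF_8);
            } catch (UnsupportedEncodingException e) {
                throw new OpenBankingException(
                        "Cannot decode the transport certificate passed through the request", e);
            }
        }
        try {
            // NOTE(review): parseCertificate is called even when the header is absent (null); whether that
            // returns null or throws is decided by CertificateUtils - confirm the logged error is intended then.
            X509Certificate certificate = CertificateUtils.parseCertificate(certificateHeader);
            if (certificate == null) {
                return servletRequest;
            }
            RequestWrapper wrapped = new RequestWrapper(httpRequest);
            wrapped.setHeader(mtlsHeaderName, new IdentityCommonHelper().encodeCertificateContent(certificate));
            return wrapped;
        } catch (OpenBankingException e) {
            log.error("Invalid transport certificate received. Caused by, ", e);
        } catch (CertificateEncodingException e) {
            throw new ServletException("Certificate not valid", e);
        }
        return servletRequest;
    }

    /**
     * @return whether the transport certificate header is expected to be URL-encoded; read from the
     *         {@code CLIENT_CERTIFICATE_ENCODE} configuration entry, defaulting to {@code true}
     */
    public boolean isClientCertificateEncoded() {
        Object configured = IdentityExtensionsDataHolder.getInstance().getConfigurationMap()
                .getOrDefault(IdentityCommonConstants.CLIENT_CERTIFICATE_ENCODE, true);
        return Boolean.parseBoolean(String.valueOf(configured));
    }
}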
